Sunday, April 21, 2013

CISPA: The latest attempt to establish a massive surveillance state

CISPA: The latest attempt to establish a massive surveillance state

UPDATE: SIGN THE ACCESS PETITION, CALLING ON TECHNOLOGY COMPANIES TO STAND UP FOR THE PRIVACY RIGHTS OF USERS AND DROP THEIR SUPPORT OF CISPA.

The internet has been abuzz about what is being hailed as the next PIPA and SOPA. It's called CISPA, or the Cyber Intelligence Sharing and Protection Act of 2011. CISPA is one of several new bills in Congress that deals with online communications, national security, and the role of private corporations. While not directly dealing with copyright (as PIPA and SOPA did), many are saying that CISPA is just the latest attempt for the government to gain more control over the internet -- threatening our civil liberties in the process. While we understand the need for protection against cyber threats, we do not believe the solution is to implement a massive surveillance state proposed in CISPA.

CISPA is deceptively simple. Its chief sponsor is Rep. Mike Rogers, an architect of the PATRIOT Act and current chair of the House Permanent Select Committee on Intelligence. Rogers says that the bill aims to "help the private sector defend itself from advanced cyber threats," but what it does is allow unlimited sharing of personally identifiable data amongst and between private companies and the government, without a single safeguard for privacy or civil liberty. While CISPA does not require that companies share this data, it allows them to share information (email, text messages, etc.) with basically any private or public entity, without fear of reprisal – by lawsuit or law – so long as they act in “good faith.”

Here are our major concerns:

1. The bill's broad definition of entities with a "cybersecurity purpose" nets almost every online actor. Few companies do not take steps to ensure the "integrity" of their networks. Thus, essentially every company is eligible to directly, stealthily share user information with the government or even private cybersecurity providers. What's worse, the bill allows companies to "use cybersecurity systems." As the EFF suggests, “us[ing] cybersecurity systems” is incredibly vague, and could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. These methods violate our trust, and likely conflict with most companies’ privacy policies. Yet CISPA allows them, without even requiring notification to users, for the purpose of uncovering cyber threats, another vague concept.

2. The bill defines cyber threat intelligence and information as that regarding “a vulnerability of, or threat to, a system or network of a government or private entity.” This includes data on “efforts to degrade, disrupt, or destroy such system or network” or “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” The reference to misappropriation of intellectual property throws into doubt the “national security” aim of the bill, raising the specter of SOPA in a Trojan horse. Throwing theft of “government” information into the bill adds another tool in the kit to stop Wikileaks, as well as media organizations, who have a First Amendment right to publish illegally gotten information.

4. CISPA exempts all shared cyber threat information from FOIA requests. The Freedom of Information Act already excepts trade secrets, confidential financial or commercial data, and any law enforcement related information that impinges on personal privacy or is gotten pursuant to a national security investigation or from a confidential source. Each exemption has been abused, and adding one more to this comprehensive list is unnecessary and harmful.

5. It threatens freedom of the press. Dissemination of "government information" is essential to any functioning democracy. But when "government information" is protected from theft or misappropriation under the "cyber threat information" label, it is less likely that anyone will take a chance and publish it. Established court decisions protect the dissemination even of information that publishers know was gotten illegally. A cyber security bill is not the place to overturn free speech jurisprudence, and doing so would only threaten whistleblowers and journalists.

While we understand the issue of cyber security is a major one for companies, CISPA is the wrong approach. Access believes that any cyber security bill should include:

The coordination and sharing of malware threat information,

Civilian, multistakeholder and inter-agency oversight and control

Precisely defined threats to national security and the types of information to be shared

Based on this analysis, and because of the serious threats to civil liberities CISPA poses, Access believes companies should not support this bill. Access will continue to work to make sure that cyber security concerns by companies are addressed.